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(54) Software virus protection 

(57) A nnethod of protecting a wireless device 
against viruses, comprising maintaining a database of 
virus signatures on the device, updating the database 



by downloading virus signatures in a Short Message 
Service (SMS) IVIessage, and searching for virus signa- 
tures in the memory of or files stored on the wireless 
device by comparison with the database. 
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Description 

[0001 ] The present invention relates to software virus 
protection, and in particular to virus protection for wire- 
less devices. s 
[0002] Viruses are a serious problem to users of com- 
puters. In order to combat the problem, there are a va- 
riety of anti-virus software products available which are 
able to identify viruses resident In the files or memory of 
a computer. Modern anti-virus software, such as for ex- io 
ample F-Secure Anti-Virus for Windows NT, uses a virus 
signature comparison in order to identify viruses. Each 
virus contains code which can be analysed and record- 
ed on a database. The database need not record all of 
the code contained in a virus if a unique "digital finger- is 
pnnt" or signature can be recorded instead. This may 
be for example the overall pattern of the code, or two or 
three particular lines. When a signature comparison is 
made, the anti-virus program searches for viruses by 
scanning afileforthe presence of a virus signature such 20 
as are present in the database. 

[0003] Clearly, if effective protection is to be main- 
tained, the database used by the anti-virus software 
must contain signatures for all known viruses. Unfortu- 
nately, new viruses are detected all the time, currently ^5 
at the rate of one per day. Once a newly detected virus 
has been analysed by the anti-virus software provider 
and a signature created, the database must be updated 
on all of the computers which are using the anti-virus 
software. There have been various methods up until 30 
now for carrying out this update. 

[0004] The earliest method used by virus software 
providers was to send a diskette through the mail to reg- 
istered users of the anti-virus software, this diskette con- 
taining the required updates to the database. Another 35 
method has been to make the virus updates available 
on-line, so that they can be obtained by connecting to a 
remote server mai ntai ned by the anti-virus software pro- 
vider Updates have also been provided in the form of 
attachments to e-mail. 40 
[0005] Increasingly, mobile phones are being used to 
connect to the Internet. Mobile Internet access is being 
facilitated by new networks (incorporating HSCSD and 
GPRS) as well as other protocols such as WAP. As mo- 
bile "platforms" with wireless modems and internet con- 45 
nections become more powerful, Internet connections 
will be as easy to obtain as for a desktop PC. This in- 
crease in the usage and capacity of mobile platforms 
renders them susceptible to attack by viruses. The 
methods outlined above for updating anti-virus software so 
can also be used for mobile platforms. However, in gen- 
eral they will not be permanently connected to the Inter- 
net, and indeed may only connect to the Internet occa- 
sionally. This can lead to the signature database used 
by anti-virus software becoming out of date, rendering 55 
protection incomplete. Out of date protection can be 
worse than no protection at all, as it can engender a false 
sense of security in a user 



[0006] It is, therefore, an object of the present inven- 
tion to provide a means for updating anti-virus signature 
databases on mobile platforms. 

[0007] According to a first aspect, the present inven- 
tion provides a method of updating a virus signature da- 
tabase used by anti-virus software operating on a mo- 
bile wireless platfomn, the method comprising sending 
update data via a signalling channel of a mobile tele- 
communications network to the mobile wireless plat- 
form. 

[0008] The update data sent to the mobile wireless 
platfonn may be a virus signature database update, or 
may be a software update such as a software patch. 
[0009] Preferably the network is a GSM based net- 
work or an evolved GSM network such as GSM phase 
2 (including GPRS) or UMTS (3GPP). 
[0010] Preferably the update data is obtained in one 
or more Short Message Service (SMS) messages. The 
SMS protocol, as set out for example in the ETSI GSM 
03.40 specification, is a protocol which is well known 
and widely used for data transfer between mobile devic- 
es. For example, programs executing on top of the EP- 
OC operating system have access to SMS communica- 
tions. 

[0011] Alternatively, the update data may be carried 
by one or more Unstructured Supplementary Services 
Data (USSD) messages. 

[0012] In order to prevent the update information from 
attack, the payload of the message carrying the update 
data is preferably cryptographically signed. 
[0013] The mobile platfonn may be a mobile tele- 
phone, communicator, PDA, palmtop or laptop compu- 
ter, or any other suitable platform. 
[0014] The mobile platform may send a report to a 
management centre following the successful receipt 
and installation of the update data. More preferably, this 
is returned to a management centre using an SMS mes- 
sage. 

[0015] In a preferred embodiment, the present inven- 
tion provides a method of protecting a wireless device 
against viruses, comprising maintaining a database of 
virus signatures on the device, updating the database 
by receiving data containing virus signatures in one or 
more Short Message Service (SMS) or Unstructured 
Supplementary Sen/ices Data (USSD) messages, and 
searching for viruses contained in the database. 
[0016] Some preferred embodiments of the invention 
will now be described by way of example only and with 
reference to the accompanying drawings, in which; 

Figure 1 is a schematic diagram showing a system 
according to a preferred embodiment of the inven- 
tion; and 

Figure 2 is a flow diagram of a method of protecting 
a mobile device from attack by viruses according to 
a preferred embodiment of the present invention. 

[0017] Figure 1 illustrates a UMTS Mobile Network 



slSDOCID: <EP 1 1B4772A2_I_> 



EP 1 184 772 A2 



3 

comprising a UMTS Terrestrial Radio Access Network 
(UTRAN) consisting of Base Stations (BS) 1 and Radio 
Network Controllers (RNCs) 2, and a core network con- 
sisting of MSCs (and SGSNs) 3 and a transmission net- 
work 4 (RNCs of the UTRAN may be supplemented with 
BSCs to facilitate Interworking with the GSM standard). 
Also present in the core network are a Short Message 
Sen/ice (SMS) centre 5 and a GPRS Gateway Support 
Node (GGSN) 6. For the sake of simplicity. Figure 1 
shows only a single RNC 2 and MSG (SGSN) 3. It will 
be appreciated that further nodes will be present In a 
UMTS network in practice. 

[001 8] A mobile wireless device 7 can connect to oth- 
er teleconnmunication devices (e.g. mobile telephones, 
fixed line telephones, etc) via the UTRAN and the core 
network (of course other networks including "foreign" 
mobile networks and PSTN networks may be involved 
in such connections). Using the GGSN 6, the device 7 
is able to connect to Ihe Internet 8. A user of the mobile 
wireless device 1 may thus contact for example a re- 
mote web server 9 by entering the URL of the web server 
into his device's Internet browser. The mobile device 1 
may also communicate with a bluetooth device 10 and 
a Local Area Network (LAN) 1 1 . By way of example, the 
mobile device 1 may use the EPOC™ operating system. 
[0019] In view of the risk that viruses could be down- 
loaded from another mobile device, from the remote 
server 9 via the Internet 8, from the bluetooth device 1 0, 
or from another node of the LAN 1 1 , the device 1 is pro- 
vided with an anti-virus software application which may 
check any files downloaded from an external source, to- 
gether with files already resident on the device's system. 
As explained above, this software searches files for vi- 
rus "signatures" so that, in order to be fully effective, it 
requires its database of virus signatures to be updated 
regularly. 

[0020] There are various known methods for obtain- 
ing updates to a database of virus signatures. One 
method is to periodically receive media (e.g. floppy 
disks, compact discs) with the updates recorded there- 
on. However, this is a cumbersome and expensive 
method and will result in fewer updates being made, with 
the database never being fully up to date. A better meth- 
od is for the user of the mobile device to contact a remote 
web server operated by the provider of the anti-virus 
software. The necessary data to update the anti-virus 
database can then be downloaded from that server. As 
explained above however, very few mobile devices are 
permanently connected to the Internet, and in may cas- 
es users will only connect to the Internet infrequently. 
This method also relies on the user remembering to con- 
nect to the remote anti-virus server periodically in order 
to obtain the update data. Thus there will again be pe- 
riods of time during which the database is not fully up to 
date. 

[0021] In order to overcome these problems use may 
be made of the SMS centre 5 within the UMTS core net- 
work. SMS is a service provided by current GSM net- 



works for sending short messages over a signalling 
channel, and is expected to be provided also by UMTS 
networks. 

[0022] The SMS centre 5 is located in the core net- 

5 work part of the UMTS network and is coupled to the 
Internet 8 via an anti-virus server 12 which is operated 
and controlled by the UMTS network operator. The anti- 
virus server 12 receives regular updates (e.g. every 
morning) from an update server 13 maintained by the 

10 anti-virus software provider. The SMS server 12 main- 
tains a record of all subscribers to the anti-virus service 
in a database 13, and initiates virus signature database 
updates by sending a Short Message Service (SMS) re- 
quest for each of the registered subscribers (including 

15 the user of the mobile device 1) to the SMS centre 5. 
Upon receipt of a request^ the SMS centre 5 generates 
a corresponding SMS message and send this to the 
destination mobile device via the Mobile Switching Cen- 
tre 3 of the core network and the UTRAN . The SMS mes- 

20 sage contains virus signature data enabling the mobile 
device 1 to update the anti-virus database to include sig- 
natures for those viruses discovered since the last up- 
date was made. 

[0023] As SMS messages can carry only relatively 

25 small quantities of information, it may be necessary for 
the SMS centre 5 to send a "concatenated message", 
(i.e. several SMS messages) to convey all the neces- 
sary infonnatlon to perfomn a database update. For the 
same reason it is desirable to be able to reduce the vol- 

30 ume of infomnatlon sent as part of a virus signature da- 
tabase upgrade. Thus, whilst SMS updates may be sent 
automatically to all subscribers from the network, it is 
preferable to send an SMS message to the server 12 
from a device 1 (via the SMS centre 5), containing de- 

35 tails of which virus signatures are currently stored in the 
device's signature database. On receipt of such an SMS 
request, the anti-virus server 12 needs only to issue an 
SMS request to the SMS centre 5 containing virus sig- 
natures not currently on the signature database of the 

40 mobile device 1 . 

[0024] As noted in the preceding paragraph, SMS up- 
dates may be sent automatically from the network to 
subscribers, or may be triggered by requests from sub- 
scribers. Figure 2 is a flow diagram illustrating the se- 

45 quence of steps involved in a subscriber Initiated updat- 
ing process. The mobile device executes the anti-virus 
software 21. This is usually done when the device is 
switched on. The anti-virus software, which uses a da- 
tabase of virus signatures, checks to determine when 

50 the database was-last updated 22. If the last update took 
place more than a pre-defined period ago, e.g. one 
week, the software causes the device to send an SMS 
message 23 to the server anti-virus 1 2 via the SMS cen- 
tre 5. This message contains data regarding the current 

55 status of the database. 

[0025] In reply to this SMS message, the anti-virus 
server 12 returns an SMS request 24 (or several SMS 
messages forming a "concatenated message") to the 
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SMS centre 5, the request containing signatures for vi- 
ruses discovered and analysed since the previous up- 
date. The SMS centre 5 generates a corresponding 
SMS message 25 and sends this to the mobile device 
1 , which receives the message 26 and causes the new 
signature(s) to be incorporated into the anti-virus signa- 
ture database for future use 27. 

[0026] When next requested, or otherwise triggered 
(e.g. by a scanning scheduler), the anti-virus software 
scans the files and memory of the mobile device in order 
to determine the presence of any of the virus signatures 
in its database 28. If an infected file is discovered 29, 
the user is wamed 30 and given an opportunity to delete 
or clean that file. Otherwise, once all files have been 
scanned, the software informs the user that his system 
is "clean" 31 . 

[0027] It will be appreciated that there are other em- 
bodiments which fall within the scope of the invention. 
For example, the method of the present invention may 
be used to update the anti-virus software itself, e.g. by 
sending software patches. 



9. A method as claimed in claim 8, wherein said re- 
quest identifies the current status of a virus signa- 
ture database. 

5 1 0. A method of protecting a wireless device against vi- 
ruses, comprising: 

maintaining a database of virus signatures on 
the device; 

updating the database by receiving data con- 
taining virus signatures in one or more Short 
Message Service (SMS) or Unstructured Sup- 
plementary Services Data (USSD) messages; 
and 

^5 searching for virus signatures contained in the 

database. 



Claims 

25 

1. A method of updating a virus signature database 
used by anti-virus software operating on a mobile 
wireless platform, comprising sending update data 
via a signalling channel of a mobile telecommuni- 
cations network to the mobile wireless platform. 30 

2. A method according to claim 1 , wherein the update 
data sent to the mobile wireless platform is a virus 
signature database update. 

35 

3. A method as claimed in claim 1 or 2, wherein the 
network is GSM or enhanced GSM network. 

4. A method as claimed in claim 3, wherein the update 
data Is carried by one or more Short Message Serv- 40 
ice (SMS) messages. 

5. A method as claimed in claim 1 , 2 or 3, wherein the 
update data is carried by one or more Unstructured 
Supplementary Services Data (USSD) message. ^5 

6. A method as claimed in any preceding claim, where- 
in the message carrying the update data is crypto- 
graphically signed. 

50 

7. A method as claimed in any preceding claim, where- 
in the mobile platform comprises a mobile tele- 
phone, communicator, PDA, palmtop or laptop com- 
puter. 

55 

8. A method as claimed in any preceding claim, and 
comprising sending the update data in response to 
a request from the mobile platform. 
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